
Bug#1002014: marked as done (debian-edu-config: Kerberos host principals change far too often)



Your message dated Wed, 29 Dec 2021 17:33:29 +0000
with message-id <E1n2cpN-000IRn-U6@fasolo.debian.org>
and subject line Bug#1002014: fixed in debian-edu-config 2.12.15
has caused the Debian Bug report #1002014,
regarding debian-edu-config: Kerberos host principals change far too often
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1002014: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002014
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: debian-edu-config
Version: 2.12.14
Severity: important

Currently, with every edit operation on a GOsa² system, the Host (and nfs) Principal(s) of that host get updated (changed). This is especially problematic if you use krb5i based NFS across a school site from various workstations.

The problem is that whenever some admin edits a host in GOsa², this host will lose NFS connectivity to /srv/nfs/home0 until the /etc/krb5.keytab has been updated on that client host. This is hardly maintainable.

The underlying reason is in the gosa-modify-host hook script. The script runs add_principal for host/<client> and nfs/<client> after every save operation on a GOsa² system. We need to check here, if those Kerberos principals already exist and only if not, then add those principals.

This has been discussed with Wolfgang Schweer on IRC...

22:03 < sunweaver> as mentioned yesterday, I played with krb5i and diskless workstation quite a bit yesterday.
22:03 < sunweaver> I basically managed to get a Debian Edu 10 and 11 DLW (diskless workstation) running against a Debian Edu 11 TJENER.
22:03 < sunweaver> However...
22:04 < sunweaver> Whenever I edit either the client or the TJENER in GOsa, the principal gets updated in krb5-ldap and my krb5.keytab becomes invalid.
22:05 < schweer> hm, then the keytab needs to be updated, too.
22:05 < sunweaver> This is happening in gosa-modify-host which simply runs an add_principal for that host.
22:05 < schweer> yes.
22:05 < sunweaver> I was wondering, if this gosa-modify-host way-of-doing-things is intentional.
22:05 < schweer> yes, intentional, but obviously suboptimal
22:05 < sunweaver> because, I'd rather check if the host (and nfs) principals exist in krb5-ldap and only create them if they don't exist.
22:06 < schweer> good idea
22:06 < sunweaver> because then, the principals won't change that often as they do now.
22:06 < sunweaver> and krb5.keytab files stay valid
22:06 < sunweaver> I'll propose a patch, then.
22:07 < schweer> feel free to improve gosa-modify-host
22:07 < sunweaver> will do, np.
22:07 < schweer> just commit that change
22:07 < sunweaver> (you provided great work, however, I'll do a little QA over the next couple of days, if ok).
22:08 < schweer> very appreciated

I'll propose a patch for this, which will then need to be integrated in the next Debian 11 point release.

light+love
Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de



--- End Message ---
--- Begin Message ---
Source: debian-edu-config
Source-Version: 2.12.15
Done: Holger Levsen <holger@debian.org>

We believe that the bug you reported is fixed in the latest version of
debian-edu-config, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1002014@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <holger@debian.org> (supplier of updated debian-edu-config package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 29 Dec 2021 18:15:27 +0100
Source: debian-edu-config
Architecture: source
Version: 2.12.15
Distribution: unstable
Urgency: medium
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Changed-By: Holger Levsen <holger@debian.org>
Closes: 1002014
Changes:
 debian-edu-config (2.12.15) unstable; urgency=medium
 .
   [ Mike Gabriel ]
   * share/d-e-c/tools/gosa-modify-host: Only create Kerberos host and service
     principals if they don't yet exist. (Closes: #1002014).
   * share/d-e-c/tools/copy-host-keytab: Restart nfs-common/rpc-gssd after
     having copied over /etc/krb5.keytab. This avoids rebooting for applying
     the copied over changes.
   * share/d-e-c/tools/gosa-create-host: Fix copy+paste flaw in comment.
 .
   [ lintian-brush ]
   * Add missing build dependency on dh addon.

--- End Message ---
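
The check-before-create logic proposed in the report and listed in the 2.12.15 changelog, sketched as an added example; it is not the gosa-modify-host code from debian-edu-config. The function names, the `KADMIN` variable, the `fake_kadmin` stub and the sample names `ws01.intern` / `INTERN` are assumptions made for illustration; the stub re-keys on every `add_principal`, which is the behaviour the report describes.

```shell
#!/bin/sh
# Added example (not the debian-edu-config script). KADMIN defaults to the
# real tool; fake_kadmin below is a constructed stand-in for testing offline.
KADMIN=${KADMIN:-kadmin.local}

# True if the KDC already knows the principal. Matches the "Principal:" line
# printed by get_principal instead of trusting the exit status.
principal_exists() {
    $KADMIN -q "get_principal $1" 2>/dev/null | grep -q "^Principal: $1@"
}

# Create host/<fqdn> and nfs/<fqdn> only when missing, so keys already
# exported to a client's /etc/krb5.keytab stay valid across repeated saves.
ensure_host_principals() {
    fqdn=$1
    for princ in "host/$fqdn" "nfs/$fqdn"; do
        if principal_exists "$princ"; then
            echo "kept $princ"
        else
            $KADMIN -q "add_principal -randkey $princ" >/dev/null
            echo "created $princ"
        fi
    done
}

# Constructed stub KDC: $FAKE_DB holds one "principal kvno" line per entry.
# Assumption taken from the report: every add_principal leaves a new key.
fake_kadmin() {
    set -- $2                                # split the -q query into words
    fk_cmd=$1
    for fk_p in "$@"; do :; done             # last word is the principal
    fk_old=$(awk -v p="$fk_p" '$1 == p { print $2 }' "$FAKE_DB")
    case $fk_cmd in
        get_principal)
            if [ -n "$fk_old" ]; then
                printf 'Principal: %s@INTERN\nKey: vno %s\n' "$fk_p" "$fk_old"
            fi ;;
        add_principal)
            grep -v "^$fk_p " "$FAKE_DB" > "$FAKE_DB.tmp" || true
            echo "$fk_p $(( ${fk_old:-0} + 1 ))" >> "$FAKE_DB.tmp"
            mv "$FAKE_DB.tmp" "$FAKE_DB" ;;
    esac
}

# Key version the stub currently holds for a principal.
fake_kvno() {
    fake_kadmin -q "get_principal $1" | sed -n 's/^Key: vno //p'
}
```

To exercise it without a KDC, set `KADMIN=fake_kadmin` and `FAKE_DB` to an empty temporary file before calling `ensure_host_principals`.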
